(19) Europäisches Patentamt
     European Patent Office
     Office européen des brevets

(11) EP 0 822 720 A1

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 04.02.1998 Bulletin 1998/06

(21) Application number: 97401802.0

(22) Date of filing: 28.07.1997

(51) Int. Cl.: H04N 7/167, H04N 7/16

(84) Designated Contracting States:
     AT BE CH DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

(30) Priority: 29.07.1996 FR 9609501

(71) Applicant: THOMSON Multimedia
     92648 Boulogne Cedex (FR)

(72) Inventors:
     • Campinos, Arnaldo
       92648 Boulogne Cedex (FR)
     • Fischer, Jean-Bernard
       92648 Boulogne Cedex (FR)

(74) Representative: Ruellan-Lemonnier, Brigitte
     THOMSON multimedia,
     46 quai A. Le Gallo
     92648 Boulogne Cedex (FR)

(54) Conditional access system using messages with multiple encryption keys



(57) The invention relates to a conditional access 
system making it possible for a service provider to sup- 
ply his services solely to users having acquired entitle- 
ments to these services. 

The services supplied by a service provider consist 
of an item scrambled by control words. To keep these 
control words secret, they are supplied in messages 
(MEC) after having been encrypted with an encryption
algorithm with key K.

According to the invention, one and the same mes- 
sage (MEC) contains the same control word (Cwi) en- 
crypted several times, each encryption (E(CWi)Kj) of the 
control word depending on a different encryption key 
(Kj). 

The invention applies to any type of conditional access system, be
this system either of "off-line" or "on-line" type.

Description

The present invention relates to a conditional ac- 
cess system. 

A conditional access system allows a service provider to supply his
services solely to users having acquired entitlements to these
services. Such is the case, for example, in pay television systems.

As is known to a person skilled in the art, the service 
supplied by a service provider consists of an item scram- 
bled by control words. The scrambled item can be de- 
scrambled, and therefore read by the user, only with re- 
gard to the entitlements allocated to this user. The 
scrambled item will subsequently be denoted IE(ECG), 
where ECG represents the unscrambled item. 

To descramble the item, the service provider sup- 
plies each user with the control words which served for 
scrambling the item. To keep the control words secret, 
they are supplied after having been encrypted with an 
algorithm with key K. The various encrypted control 
words are sent to the various users in messages which, 
for convenience, will be denoted MEC in the subsequent 
description. 

So as to accord access to its service solely to authorized users, the
service provider supplies a smart card and a decoder to each of the
users.

The smart card makes it possible, on the one hand, 
to validate and record the entitlements which the user 
has to the service delivered and, on the other hand, to 
decrypt the encrypted control words. For this purpose, 
the smart card contains the key K of the algorithm which 
allowed the encryption of the control words. 

The decoder, for its part, makes it possible to de- 
scramble the scrambled item on the basis of the item 
consisting of the encrypted control words from the smart 
card. 

The entitlements of each user are sent in messages 
which, for convenience, will be denoted MD in the sub- 
sequent description. 

According to the prior art, a message MD dedicated 
to a user contains three main items: 

- a first item giving the address of the user's card;
- a second item giving the description of the user's entitlements;
- a third item making it possible to validate the message MD and
  verify that the user's entitlements contained in the message MD are
  indeed the entitlements reserved for the user.

As mentioned previously, the encrypted control 
words are sent to the users by way of the messages 
MEC. 

According to the prior art, a message MEC consists of a header and a
body:

- the header gives, among other things, the type and size of the
  items contained in the body of the message MEC;
- the body consists, among other things, of an item containing the
  set of conditions of access to the service supplied by the provider,
  of an item containing a control word encrypted with the algorithm
  with key K and of an item containing a datum depending on the key K
  and making it possible to validate and verify the content of the
  message MEC and, more particularly, access conditions contained in
  the message MEC.



When the decoder of a user recognizes the address 
of the card associated therewith among the various ad- 
dresses distributed by the service provider, the mes- 
sage MD corresponding to the recognized address is 
analysed. The analysis of the message MD is performed 
with the aid of an analysis algorithm controlled by the 
encryption key of the control words. 

Conditional access systems are mainly of two types.

A first system is commonly called an on-line system. In a conditional
access system of the "on-line" type, the scrambled item IE(ECG) is an
item consisting of a signal distributed simultaneously to the various
customers of the service provider from a single source. This
distribution can be performed, for example, over the airways or else
by cable. As is known to a person skilled in the art, in such a
conditional access system, the messages MEC are sent by the service
provider with the scrambled item IE(ECG).

A second conditional access system is commonly called an off-line
system. In a conditional access system of "off-line" type, the
scrambled item IE(ECG) and the messages MEC are contained on off-line
information media such as, for example, compact discs, digital video
discs, or else digital optical discs.

The invention will be more particularly described in the case of
off-line systems. However, as will emerge later, the invention relates
to any type of access control system, be this system either of
off-line or on-line type.

As mentioned previously, the key of the encryption algorithm for the
control words is contained in each user card. It follows that the
pirating of a single card may lead to the knowledge of the key K. The
service supplied by the provider is then no longer protected.

The service provider must then supply each user with a new card
containing a new key K. Now, in the case of off-line systems, the
off-line information medium constituted by, for example, the compact
disc, the digital video disc or else the digital optical disc, has a
fixed content which it is not possible to modify. To ensure the
continuity of the service he has to supply, the service provider is
then compelled, not only to market new off-line information media
compatible with the new encryption key, but also completely to renew
the existing pool of off-line information media which he distributed
before the change of encryption key of the control words.

This represents a drawback, especially in terms of costs, since the
number of off-line information media may frequently reach several
hundred thousand, or even several million.

The invention does not have this drawback. 

In general, the present invention relates to a novel conditional
access system.

More particularly, the invention also relates to a novel definition of
the messages MEC, a novel user card, as well as a novel off-line
information medium in the case of off-line systems.

Thus, the invention relates to a message (MEC) making it possible to
deliver conditions of access to a scrambled service intended for at
least one user, the said message containing a first item consisting of
a control word encrypted by an algorithm with key K1, a second item,
the content of which makes it possible to validate and verify the
content of the message, the content of the second item being
controlled by a key Q. The message contains n-1 additional items each
containing the said control word encrypted by an encryption algorithm
with respective keys K2, K3, ..., Kj, ..., Kn.

The keys K1, K2, K3, ..., Kn are different from one another.

The invention also relates to a process making it possible to
descramble a scrambled service (IE(ECG)) supplied to at least one
user, the service being scrambled with the aid of control words, the
process comprising at least one step making it possible to supply the
user with a message (MEC) containing a first item consisting of a
control word encrypted with an algorithm with key K1. The step makes
it possible to distribute in the message n-1 additional items each
containing the control word encrypted by an algorithm with respective
keys K2, K3, ..., Kn.

The keys K1, K2, ..., Kn are different from one another.

The invention also relates to a smart card making it possible to
decrypt the encrypted control words which it receives, the encrypted
control words being sent to the smart card via a message such as that
mentioned above according to the invention.

The invention also relates to a conditional access system making it
possible for a service provider to supply his services only to users
having acquired entitlements to these services, the said services
consisting of an item scrambled by control words, the said system
comprising, for each user, at least one decoder and at least one user
card, the said card containing, on the one hand, circuits making it
possible to validate and record the user entitlements to the service
delivered by the provider, the said entitlements being conveyed to the
user card by a first message (MD) and, on the other hand, circuits
making it possible to retrieve the control words from the control
words encrypted by an algorithm with key K, the said encrypted control
words being conveyed to the user card by a second message (MEC). The
user card is a card such as that mentioned above according to the
invention and the second message (MEC) is a message such as that
mentioned above according to the invention.

The invention further relates to an off-line information medium
containing an item scrambled by a string of N control words. The
off-line information medium comprises p item strings consisting of N
encrypted control words, each item string making it possible to
descramble a scrambled item, p being an integer greater than or equal
to 1.

The key of the encryption algorithm for the control 
words is contained in each user card. 

According to the invention, when the pirating of the 
user cards leads to the knowledge of the key of the en- 
cryption algorithm for the control words, the service pro- 
vider changes the key as well as the key index which 
are contained in the user cards by choosing a new en- 
cryption algorithm key as well as a new key index from 
among the keys and the key indices already contained 
in the messages MEC. 

In the case of off-line systems, for example, an ad- 
vantage of the invention is to prevent the change of en- 
cryption algorithm key for the control words from entail- 
ing the renewal of the entire pool of off-line information 
media distributed before the change of key. 

Other characteristics and advantages of the inven- 
tion will emerge on reading a preferred embodiment giv- 
en with reference to the appended figures in which: 

- Figure 1 represents a format of a message MEC according to the
  prior art;
- Figure 2 represents the schematic of a user card according to the
  prior art;
- Figures 3a and 3b represent two formats of a message MEC according
  to the invention;
- Figure 4 represents the schematic of a user card operating with a
  message MEC according to Figure 3a;
- Figure 5 represents the schematic of a user card operating with a
  message MEC according to Figure 3b.

In all the figures, the same labels designate the 
same elements. 

Figure 1 represents a format of a message MEC 
according to the prior art. 

The message MEC consists of a body C1 and a header 6, the content (H1)
of which gives, among other things, the type and size of the items
contained in the body C1.

The body C1 comprises, among other things, a first item 1, the content
(ID) of which makes it possible to identify the service provider, a
second item 2 containing the set of access conditions associated with
the service supplied by the provider, a third item 3, the content
(I(K)) of which gives the index of the key K of the encryption
algorithm for the control words, a fourth item 4 containing a control
word Cwi encrypted with the algorithm with key K (E(Cwi)K) and a fifth
item 5 containing a datum HASH K making it possible to validate and
verify the content of the message MEC and, more particularly, access
conditions contained in the message MEC. The datum HASH K is
controlled by the key K for encryption of the control words.

In Figure 1, the control word Cwi represents the current control word,
that is to say that making it possible to descramble the part of the
program being read. As is known to a person skilled in the art, the
message MEC which contains Cwi generally also contains a second
control word. This second control word is the control word for the
next descrambling period, that is to say the current control word of
the message MEC which is to follow the message MEC which contains Cwi
as current control word. It is so as not to needlessly encumber the
drawing that this second control word has not been represented in
Figure 1.

As is known to a person skilled in the art, the format of the message
MEC described in Figure 1 is merely an MEC message format example. In
particular, the order defining the succession of the various blocks 1,
2, 3, 4, 5 making up the message MEC can be modified.

Figure 2 represents the schematic of a user card 
according to the prior art. 

The user card 7 contains five main circuits:

- a circuit 8 for validating the user's entitlements;
- a circuit 9 for storing the validated entitlements of the user;
- a circuit 10 for access control;
- a circuit 11 for validating the messages MEC;
- a circuit 12 for decrypting the encrypted control words.

The validation circuit 8 makes it possible to perform 
on the messages MD the operations of user address 
recognition and user entitlements analysis. For this pur- 
pose, the validation circuit 8 contains the key K of the 
encryption algorithm. If the message MD is validated, 
the user's entitlements contained in the message MD 
are stored in the validated entitlements storage circuit 9. 

The circuit 11 for validating the messages MEC 
makes it possible to perform on the access conditions 
2 contained in the messages MEC operations identical 
to those performed by the validation circuit 8 on the us- 
er's entitlements contained in the messages MD. The 
validation circuit 11 contains the key K. 

The decryption circuit 12 makes it possible to de- 
crypt the control words. For this purpose, the decryption 
circuit 12 also contains the key K of the encryption al- 
gorithm for the control words. 

The access control circuit 10 compares the validated access conditions
with the validated entitlements of the user. If the validated access
conditions correspond to the validated entitlements of the user, a
signal S, emanating from the access control circuit 10 and applied to
the decryption circuit 12, authorizes decryption of the control words.
In the contrary case, the signal S does not authorize decryption.

At the completion of the various steps of the decryption procedure,
the decrypted control words Cwi are generated by the decryption
circuit 12 so as to allow the descrambling of the scrambled item
IE(ECG).

Figure 3a represents a first MEC message format 
according to the invention. 

The message MEC consists of a body C2a and a header 13, the content
(H2) of which gives, among other things, the type and size of the
items contained in the body C2a.

The body C2a comprises, among other things, an item 14, the content
(ID) of which makes it possible to identify the service provider, n
items A1, ..., Aj, ..., An respectively containing the same control
word Cwi enciphered with algorithms with respective keys K1, ..., Kj,
..., Kn, n items DX1, ..., DXj, ..., DXn containing the indices I(K1),
..., I(Kj), ..., I(Kn) making it possible to recognize the respective
keys K1, ..., Kj, ..., Kn, an item 15 containing the set of access
conditions associated with the service supplied by the service
provider, and an item 16 containing a datum HASH Q making it possible
to validate and verify the content of the message MEC and, more
particularly, access conditions contained in the message MEC. The
datum HASH Q is controlled by a key Q preferably different from any
one of the encryption keys K1, ..., Kj, ..., Kn.

According to a first embodiment of the invention, the algorithm with
key Kj is the same irrespective of the rank j (j = 1, 2, ..., n) of
the key Kj. This may, for example, be the algorithm known by the
abbreviation RSA ("RIVEST SHAMIR ADLEMAN"), the algorithm known by the
abbreviation SDE ("Syndrome Decoding Engine"), or again the algorithm
known by the abbreviation DES ("Data Encryption Standard").

According to the invention, the algorithm with key Kj can be identical
or different for all or some of the keys Kj (j = 1, 2, ..., n).

Advantageously, according to a particular embodiment of the invention,
the various keys Kj which are used successively may be chosen with
size increasing with the rank j of the key Kj. Any pirates are then
placed in a situation in which the pirating of the various keys is
made increasingly difficult.

According to Figure 3a, the various items constituting the body of the
message MEC according to the first format of the invention follow one
another in a certain order. The invention relates, however, to the
formats of messages MEC for which the order of the items is different
from that represented in Figure 3a.

Figure 3b represents a second MEC message for- 
mat according to the invention. 

The message MEC consists of a body C2b and a header 17, the content
(H3) of which gives, among other things, the type and size of the
items contained in the body C2b.

The body C2b comprises, among other things:

- p items ID1, ID2, ..., IDk, ..., IDp, each allowing one of the p
  service providers to be identified, p being an integer,
- n items A11, ..., A1j, ..., A1n for the provider of rank 1, n being
  an integer,
- m items A21, ..., A2j, ..., A2m for the provider of rank 2, m being
  an integer,
- v items Ak1, ..., Akj, ..., Akv for the provider of rank k, v being
  an integer,
- w items Ap1, ..., Apj, ..., Apw for the provider of rank p, w being
  an integer,

  each of the n + m + ... + v + ... + w items A11, ..., Akj, ..., Apw
  containing, according to the preferred embodiment of the invention,
  the same control word Cwi encrypted with an algorithm with respective
  keys K11, ..., Kkj, ..., Kpw,

- n items DX11, ..., DX1j, ..., DX1n for the provider of rank 1,
- m items DX21, ..., DX2j, ..., DX2n for the provider of rank 2,
- v items DXk1, ..., DXkj, ..., DXkv for the provider of rank k,
- w items DXp1, ..., DXpj, ..., DXpw for the provider of rank p,

  each of the n + m + ... + v + ... + w items DX11, ..., DXkj, ...,
  DXpw containing the indices I(K11), ..., I(Kkj), ..., I(Kpw) making
  it possible to recognize, as will be specified later, the respective
  keys K11, ..., Kkj, ..., Kpw, the key indices I(Kk1), ..., I(Kkj),
  ..., I(Kkp) of the service provider of rank k (k = 1, 2, ..., p)
  defining an order k encryption keys index field,

- an item 18 containing the set of access conditions associated with
  the service supplied by the p service providers, the said access
  conditions being common to the p service providers according to the
  preferred embodiment of the invention,
- a set of p data HASH Q1, ..., HASH Qk, ..., HASH Qp, the datum
  HASH Qk making it possible to validate and verify the content of the
  access conditions contained in the message MEC as well as that part
  of the message MEC associated with the service provider of rank k.
  The datum HASH Qk is controlled by a key Qk. The keys Q1, ..., Qj,
  ..., Qp are preferably different from one another and different from
  the encryption keys Kkj,
- a set of p data I(Q1), ..., I(Qk), ..., I(Qp) constituting a control
  keys index field, the key index I(Qk) making it possible, as will be
  specified later, to recognize datum HASH Qk.

According to the above-described preferred embodiment of the
invention, each of the n + m + ... + v + ... + w items A11, ..., Akj,
..., Apw contains the same control word Cwi encrypted with an
algorithm with respective keys K11, ..., Kkj, ..., Kpw.

According to that embodiment of the invention described in Figure 3b,
the access conditions 18 are common to the p service providers.
According to other embodiments of the invention, the access conditions
are different from one service provider to another or from one group
of service providers to another.

As mentioned previously, the order in which the various items
constituting the body of the message MEC follow one another may be
different from that represented in Figure 3b.

According to a particular embodiment of the invention, the encryption
algorithm with key Kkj of the service provider of rank k (k = 1, 2,
..., p) is the same irrespective of the rank j of the key Kkj.

According to embodiments different from the particular embodiment
mentioned above, the encryption algorithm with key Kkj can be
different according to the rank k of the key Kkj.

As in the case of the message MEC described in Figure 3a, the various
keys Kkj which are successively used by the same service provider may
advantageously be of a size increasing with the rank j of the key Kkj
so as to make pirating increasingly difficult.
Figure 4 represents a user card operating with a message MEC according
to Figure 3a.

The user card contains five main circuits:

- a circuit 20 for validating the user's entitlements;
- a circuit 21 for storing the validated entitlements of the user;
- a circuit 22 for access control;
- a circuit 23 for validating the messages MEC;
- a circuit 24 for decrypting the encrypted control words.

The validation circuit 20 makes it possible to per- 
form on the messages MD the operations of user ad- 
dress recognition and user entitlements analysis. 

The analysis of the message MD is performed with the aid of an
analysis algorithm depending on a key KC contained in the validation
circuit 20. The key KC is preferably a different key from any one of
the encryption keys Kj (j = 1, 2, ..., n). If the message MD is
validated, the user's entitlements contained in the message MD are
stored in the validated entitlements storage circuit 21.

The validation circuit 23 makes it possible to perform on the access
conditions contained in the messages MEC validation operations
identical to those performed on the user's entitlements contained in
the messages MD. The validation of the messages MEC is performed with
the aid of a validation algorithm controlled by the key Q. The key Q
is contained in the circuit 23.

The decryption of the encrypted control word E(Cwi)Kj is performed
with the aid of the key Kj of the encryption algorithm when the key Kj
is the key contained in the deciphering circuit 24.

When the key Kj is contained in the decryption circuit 24, the latter
also contains the index I(Kj) which makes it possible to recognize the
encrypted control word E(Cwi)Kj from among the set of encrypted
control words contained in the message MEC. When the control word
E(Cwi)Kj has been recognized, the latter is transferred from the
validation circuit 23 to the decryption circuit 24. Decryption then
takes place.

The access control circuit 22 compares the validated access conditions
with the validated entitlements of the user. If the validated access
conditions correspond to the validated entitlements of the user, a
signal S, emanating from the access control circuit 22, authorizes
decryption of the control word. In the contrary case, the signal S
does not authorize decryption.

As mentioned previously, the pirating of a user card may lead to the
knowledge of the control words encryption key contained in the user
card. When pirating becomes excessive, the service provider
distributes new user cards. The decryption circuit for the control
words of the new user cards then contains a new encryption key as well
as a new encryption key index.

The new encryption key as well as the new key index are contained in
the messages MEC according to the invention.

In the case of off-line systems, to ensure the permanence of his
service, the service provider supplies his new customers with new
off-line information media in which the control words encrypted with
the key being pirated are deleted.

As mentioned previously, advantageously, according to the invention,
the off-line information media distributed before the change of
encryption key are still usable after this change. Thus, the use of
these information media can be performed either with a card containing
the new encryption key, or with an old card not containing the new
encryption key. Likewise, and in reciprocal manner, the off-line
information media distributed after the change of encryption key can
advantageously no longer be read with the user cards containing the
old encryption key as is the case, particularly, in pirated cards.
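The Figure 3a message, the Figure 4 card and the change of key described above can be exercised end to end. The following Python sketch is an added example, not code from the patent: the byte layout and field sizes, HMAC-SHA256 as the datum HASH Q, the SHA-256 keystream standing in for the encryption algorithm with key Kj, and the names `build_mec`, `parse_mec`, `Card` and `outcome` are all assumptions.

```python
import hashlib
import hmac
import os
import struct

# Assumed layout (not from the patent): header = provider ID, number of key
# entries n, access-condition length; body = n x (index I(Kj), E(Cwi)Kj),
# access conditions, then HASH Q over everything that precedes it.
HDR = struct.Struct(">HBH")
CW_LEN, NONCE_LEN, TAG_LEN = 8, 8, 32
ENTRY_LEN = 1 + NONCE_LEN + CW_LEN


class MecError(Exception):
    """Raised when a card refuses a message MEC."""


def _keystream(key, nonce, n):
    # Stand-in cipher: SHA-256 in counter mode, XORed with the control word.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def build_mec(provider_id, keys, cw, access, q):
    """keys maps index I(Kj) -> Kj; the same cw is encrypted once per key."""
    msg = HDR.pack(provider_id, len(keys), len(access))
    for index, key in sorted(keys.items()):
        nonce = os.urandom(NONCE_LEN)
        msg += bytes([index]) + nonce + _xor(cw, key, nonce)
    msg += access
    return msg + hmac.new(q, msg, hashlib.sha256).digest()


def parse_mec(mec):
    if len(mec) < HDR.size + TAG_LEN:
        raise MecError("truncated message")
    _provider, n, alen = HDR.unpack_from(mec)
    if len(mec) != HDR.size + n * ENTRY_LEN + alen + TAG_LEN:
        raise MecError("length does not match header")
    entries, off = {}, HDR.size
    for _ in range(n):
        entries[mec[off]] = mec[off + 1:off + ENTRY_LEN]
        off += ENTRY_LEN
    return entries, mec[off:off + alen], mec[:-TAG_LEN], mec[-TAG_LEN:]


class Card:
    """User card of Figure 4: holds one key Kj, its index I(Kj) and key Q."""

    def __init__(self, key_index, key, q, entitlements):
        self.key_index, self.key, self.q = key_index, key, q
        self.entitlements = set(entitlements)

    def recover_cw(self, mec):
        entries, access, signed, tag = parse_mec(mec)
        # Circuit 23: validate the message with key Q before using any field.
        expected = hmac.new(self.q, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise MecError("HASH Q check failed")
        # Circuit 22: access conditions must match a stored entitlement.
        if access not in self.entitlements:
            raise MecError("no matching entitlement")
        # Circuit 24: pick the entry whose index matches the card's I(Kj).
        blob = entries.get(self.key_index)
        if blob is None:
            raise MecError("no control word for key index %d" % self.key_index)
        return _xor(blob[NONCE_LEN:], self.key, blob[:NONCE_LEN])


# Constructed sample data: three keys K1..K3, key Q, one control word.
K = {j: hashlib.sha256(b"demo-K%d" % j).digest() for j in (1, 2, 3)}
Q = hashlib.sha256(b"demo-Q").digest()
CW = bytes.fromhex("0123456789abcdef")
ACCESS = b"MOVIES"

OLD_MEDIUM = build_mec(7, K, CW, ACCESS, Q)                   # K1, K2, K3
NEW_MEDIUM = build_mec(7, {2: K[2], 3: K[3]}, CW, ACCESS, Q)  # K1 entry deleted
OLD_CARD = Card(1, K[1], Q, [ACCESS])   # holds the pirated key K1
NEW_CARD = Card(2, K[2], Q, [ACCESS])   # issued after the change of key


def outcome(card, mec):
    """Return the recovered control word as hex, or the refusal reason."""
    try:
        return card.recover_cw(mec).hex()
    except MecError as exc:
        return "refused: %s" % exc


if __name__ == "__main__":
    for cname, card in (("old card", OLD_CARD), ("new card", NEW_CARD)):
        for mname, mec in (("old medium", OLD_MEDIUM), ("new medium", NEW_MEDIUM)):
            print(cname, "+", mname, "->", outcome(card, mec))
```

Because HASH Q is keyed with Q rather than with any Kj, the old medium still validates on the new card after the change of key; only the old card presented with the new medium is refused, since its index no longer appears in the message.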

In the case of on-line systems, the service provider recovers the user
cards containing the pirated key and replaces them with new cards
containing a new encryption key such as that mentioned above.

Advantageously, a transient period in respect of the distribution of
new user cards may then be established. Throughout the transient
period, the messages MEC disseminated by the service provider contain
control words encrypted with the key being pirated and the control
words encrypted with the new encryption key. When all the user cards
have been renewed, the service provider now issues only messages MEC
containing the new encryption key.

By way of non-limiting example, the number of versions of encryption
of control words, that is to say the number of encryption algorithm
keys for the control words, may be between 5 and 10.

Figure 5 represents the schematic of a user card 
operating with a message MEC according to Figure 3b. 

The user card 25 of Figure 5 is the card associated 
with the service provider of rank k. 

The user card 25 contains five main circuits:

- a circuit 26 for validating the user's entitlements;
- a circuit 27 for storing the validated entitlements of the user;
- a circuit 28 for access control;
- a circuit 29 for validating the messages MEC;
- a circuit 30 for decrypting the encrypted control words.

The circuits 26, 27 and 28 have functions identical 
to those of the respective circuits 20, 21 and 22 de- 
scribed previously. 

The analysis of the messages MD is performed with 
the aid of an analysis algorithm depending on a key KC 
contained in the validation circuit 26. The key KC is pref- 
erably a different key from the encryption key contained 
in the decryption circuit 30. 

The circuit 29 makes it possible to perform the validation of the
access conditions as well as that part of the message MEC associated
with the service provider of rank k. For this purpose the circuit 29
contains the control key index I(Qk) making it possible to recognize
the datum HASH Qk within the message MEC as well as the key Qk making
it possible to control the datum HASH Qk.

The control words decryption circuit 30 contains the encryption key
Kkj and the encryption key index I(Kkj).

Validation of the access conditions contained in the messages MEC is
performed with the aid of a validation algorithm controlled by the key
Qk when the control words decryption circuit 30 contains the key Kkj
and the index I(Kkj).

The key index I(Kkj) makes it possible to recognize the encrypted
control word E(Cwi)Kkj from among the set of encrypted control words.
When the control word E(Cwi)Kkj has been recognized, the latter is
transferred from the validation circuit 29 to the decryption circuit
30. The decryption of the encrypted control word E(Cwi)Kkj is then
performed with the aid of the key Kkj of the encryption algorithm.

According to the preferred embodiment of the in- 
vention, the message MEC described in Figure 3a com- 
prises an encryption keys index field and the message 
MEC described in Figure 3b comprises p encryption 
keys index fields and one control keys index field. As 
mentioned previously, these keys indices allow recog- 
nition by the user card of the data associated with them. 

According to other embodiments of the invention, the messages MEC
contain no encryption keys indices and/or control keys indices. The
control words to be decrypted and the data making it possible to
validate the messages MEC are recognized by the user card by virtue of
their ordering and their size. In a manner known per se, the circuits
24 and 30 then contain items necessary for recognizing the ordering
and size of the control words to be decrypted and the circuit 29
contains items necessary for recognizing the ordering and size of the
data making it possible to validate and verify the messages MEC.

Irrespective of the type of message MEC of the invention, the
invention relates, in the case of off-line systems, to an off-line
information medium containing an item scrambled by a string of N
control words, characterized in that it comprises p strings of items
consisting of N encrypted control words, each string of items making
it possible to descramble the scrambled item, p being an integer
greater than or equal to 1.

The string of items consisting of the N encrypted control words
consists of a string of identical encrypted control words, each
control word being encrypted with an algorithm with different key.

Thus, the off-line information media according to 
the invention contain messages MEC such as those de- 
scribed in Figure 3a or Figure 3b. According to the in- 
vention, the messages MEC contained on the off-line 
information media then contain all the items necessary 
for descrambling the entire scrambled item. 

Figures 3a and 3b therefore also constitute a sym- 
bolic representation of two MEC message format exam- 
ples contained on the off-line information media accord- 
ing to the invention. 

In the case in which the information medium con- 
tains several strings of items making it possible to de- 
scramble the scrambled item, each string of items is 
preferably associated with a different service provider. 

The insertion of the messages MEC within the item contained on the
off-line medium may be performed, by way of example, with the aid of
the standard known to a person skilled in the art by the name "MPEG-2
System". In the case in which storage of the item on the off-line
medium is not compatible with the "MPEG-2 System" standard, another
mode of insertion of the messages MEC consists, for example, in
retaining only one or a few messages MEC, for example 2 or 3 messages
MEC, with the entirety of the programs contained on the medium and in
placing these messages MEC in the header of each of the programs or of
any other structure having a magnitude sufficient to store these few
messages MEC.

According to a particular embodiment of the system 
described in Figure 5, several different service suppliers 
can distribute identical programs on the same off-line 
information medium such as, for example, a digital video 
disc. 

Advantageously, each service provider is then not 
compelled to press his own digital video discs. Various 
service providers can thus offer, on the same medium, 
all or some of their services at lesser cost without mu- 
tually disclosing their respective keys of the control 
words encryption algorithm. 
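As an added illustration, not part of the patent text, the Python below builds one MEC carrying the same control word for two providers and shows a card recovering it with only its own provider's keys. The cipher (an HMAC-SHA256 keystream), the HMAC used as keyed hash, the per-message nonce, the dictionary layout and all names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample keys: two providers on one medium (key index -> key K, plus key Q).
PROVIDERS = {
    "ID1": {"K": {1: b"A" * 16, 2: b"B" * 24}, "Q": b"Q1" * 8},
    "ID2": {"K": {1: b"C" * 16}, "Q": b"Q2" * 8},
}

def stream_xor(key, nonce, data):
    """Stand-in cipher (assumption): XOR with one HMAC-SHA256 keystream block, data <= 32 bytes."""
    stream = hmac.new(key, b"cw" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def section_tag(q, provider_id, nonce, items):
    """Keyed hash over one provider's section, controlled by that provider's key Q."""
    mac = hmac.new(q, provider_id.encode() + nonce, hashlib.sha256)
    for index, enc in items:
        mac.update(index.to_bytes(2, "big") + enc)
    return mac.digest()

def build_mec(cw, providers):
    """Encrypt the same control word under every key of every provider."""
    nonce = os.urandom(8)  # assumption: per-message nonce, not taken from the patent
    sections = {}
    for pid, keys in providers.items():
        items = [(i, stream_xor(k, nonce, cw)) for i, k in sorted(keys["K"].items())]
        sections[pid] = {"items": items, "hash": section_tag(keys["Q"], pid, nonce, items)}
    return {"nonce": nonce, "sections": sections}

def card_recover_cw(mec, pid, card_k, card_q):
    """Card side: validate the provider's section with Q, then decrypt with a key index it holds."""
    section = mec["sections"].get(pid)
    if section is None:
        return None  # this provider is not present in the message
    expected = section_tag(card_q, pid, mec["nonce"], section["items"])
    if not hmac.compare_digest(expected, section["hash"]):
        return None  # section altered or wrong Q: refuse to decrypt
    for index, enc in section["items"]:
        if index in card_k:
            return stream_xor(card_k[index], mec["nonce"], enc)
    return None  # the card holds none of the indexed keys
```

Because the stand-in cipher is malleable, the check with Q before decryption is what rejects an altered encrypted item; a card for ID2 is unaffected by changes to ID1's section.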



The advantage described above in the context of 
an off-line system applies also in the context of an on- 
line system. Several disseminators of programs can 
then offer access to the same program using messages 
MEC such as those described in Figure 3b.

The invention also has another advantage in the
context of on-line systems.

Thus, in the context of on-line systems prohibiting
any copying in clear of the scrambled programs
disseminated, the invention allows the various service
providers to control the use of copies and/or recordings of
the scrambled programs. Thus, to see the copies and/or the
recordings of the scrambled programs in clear, the users
are then compelled to request entitlements from the
service provider. The reading of the copies and/or the
recordings is then conditioned by the presence or
otherwise of the corresponding entitlements in the user's
card.

All the advantages mentioned previously in respect 
of the off-line information media used in the context of
the invention therefore also appertain in respect of the 
copies and/or the recordings of scrambled programs. 



Claims

1. Message (MEC) making it possible to deliver conditions
of access (2) to a scrambled service intended for at
least one user, the said message (MEC) containing a first
item (4, A1) consisting of a control word (Cwi) encrypted
by an encryption algorithm with key K1, a second item (5),
the content (HASH K) of which makes it possible to
validate and verify the content of the said message (2),
the content of the second item being controlled by a key Q,
characterized in that it contains n-1 additional items
each containing the said control word (Cwi) encrypted by
an encryption algorithm with respective keys K2, K3, ...,
Kj, ..., Kn.

2. Message (MEC) according to Claim 1, characterized
in that it contains n additional items, the content
of which consists of the key indices I(K1), ..., I(Kj),
..., I(Kn), the key index I(Kj) being associated
with the key Kj (j = 1, 2, ..., n).

3. Message (MEC) according to Claim 1 or 2, characterized
in that the key Q making it possible to control
the second item is a different key from all the
encryption algorithm keys K1, K2, ..., Kj, ..., Kn.

4. Message (MEC) according to Claim 1, 2 or 3,
characterized in that the various keys Kj (j = 1, 2, ..., n)
have a size increasing with the rank j of the key Kj.

5. Message (MEC) making it possible to deliver conditions
of access (2) to a scrambled service delivered by a
first service provider to at least one user,
the said message (MEC) containing a first item (1),
the content (ID1) of which makes it possible to identify
the first service provider, a second item (4, A11)
consisting of a control word (Cwi) encrypted by an
encryption algorithm with key K11, a third item (5),
the content (HASH K) of which makes it possible to
validate and verify the content of the message, the
content of the third item being controlled by a key
Q1, characterized in that it contains p-1 additional
items (ID2, ID3, ..., IDk, ..., IDp) making it possible
to identify p-1 service providers different from the
first provider and, for each service provider of rank
k (k = 1, 2, ..., p), vk additional items each containing
a control word encrypted by an encryption algorithm
with respective keys Kk1, Kk2, ..., Kkj, ..., Kkv.

6. Message (MEC) according to Claim 5, characterized
in that it comprises p key index fields I(Kk1),
I(Kk2), ..., I(Kkj), ..., I(Kkv) (k = 1, 2, ..., p), the key
index I(Kkj) being associated with the key Kkj.

7. Message (MEC) according to Claim 5 or 6, charac- 
terized in that the integer vk is different from one 
service provider to another or from one group of 
service providers to another. 

8. Message (MEC) according to Claims 5, 6 or 7,
characterized in that it contains p-1 additional items
(HASH Q2, ..., HASH Qp), each of the p-1 additional
items being associated with a service provider
different from the first service provider and containing
a datum making it possible to validate and verify the
conditions of access to the service as well as the
content of the message relating to the service provider
with which the item is associated, the content
of each of the p-1 additional items being controlled
by a key which is individual thereto Q2, ..., Qp.

9. Message (MEC) according to Claim 8, characterized
in that the keys Q1, Q2, ..., Qp are different from
all the encryption algorithm keys.

10. Message (MEC) according to any one of Claims 5 
to 9, characterized in that the successive encryption 
keys of at least one service provider have a size 
increasing with the rank of the key. 

11. Message (MEC) according to any one of Claims 5 
to 10, characterized in that the control word con- 
tained in the vk items of each service provider of 
rank k is identical to the control word (Cwi) encrypt- 
ed by the encryption algorithm with key K11 con- 
tained in the said second item. 

12. Process making it possible to descramble a scrambled
service (I E (EGG)) supplied to at least one user,
the said service being scrambled with the aid of control
words (Cwi), the said process comprising at
least one step making it possible to supply the user
with a message (MEC) containing a first item consisting
of a control word (Cwi) encrypted with an algorithm
with key K1, characterized in that the said
step makes it possible to distribute in the message
(MEC) n-1 additional items each containing the said
control word (Cwi) encrypted by an encryption algorithm
with respective keys K2, K3, ..., Kj, ..., Kn.

13. Process according to Claim 12, characterized in
that the said step makes it possible to distribute to
the user a second item (5), the content (HASH K) of
which makes it possible to validate and verify the
content of the message, the content of the second
item being controlled by a key Q different from all
the encryption algorithm keys K1, K2, ..., Kj, ..., Kn.

14. Process according to Claim 12 or 13, characterized
in that the service is distributed by a first service
provider.

15. Process according to Claim 14, characterized in
that the said step makes it possible to distribute to
the user p-1 additional items (ID2, ID3, ..., IDk, ...,
IDp) making it possible to identify p-1 service providers
different from the first provider and, for each
service provider of rank k (k = 1, 2, ..., p), vk additional
items each containing a control word encrypted
by an encryption algorithm with respective keys
Kk1, Kk2, ..., Kkj, ..., Kkv.

16. Process according to Claim 15, characterized in
that the said step makes it possible to distribute p
key index fields I(Kk1), I(Kk2), ..., I(Kkv) (k = 1, 2, ...,
p), the key index I(Kkj) being associated with the
key Kkj.

17. Process according to Claim 16, characterized in
that the said step makes it possible to distribute p-1
additional items (HASH Q2, HASH Q3, ...,
HASH Qp), each of the p-1 additional items being
associated with a service provider different from the
first service provider and containing a datum making
it possible to validate and verify the conditions
of access to the service as well as the content of
the message relating to the service provider with
which the item is associated, the content of each of
the p-1 additional items being controlled by a control
key (Q2, ..., Qp) which is peculiar to the item.

18. Process according to Claim 17, characterized in
that the p control keys (Q1, Q2, ..., Qp) are different
from the encryption algorithm keys of the control
words.


19. Process according to any one of Claims 15 to 18,
characterized in that the control word contained in
the vk items of each service provider of rank k is
identical to the control word (Cwi) encrypted by the
algorithm with key K1 contained in the said first
item.

20. Smart card making it possible to decrypt the en- 
crypted control words which it receives, the control 
words being encrypted by an algorithm with key Kkj 
and making it possible, after decryption, to de- 
scramble a scrambled service supplied by a first 
service provider, the card containing at least one cir- 
cuit making it possible to validate the conditions of 
access to the service, the said validation circuit con- 
taining a control key making it possible to control 
the validation of the conditions of access, charac- 
terized in that the said control key (Q) is different 
from the key Kkj of the encryption algorithm of the 
control words. 

21. Smart card according to Claim 20, characterized in
that it comprises a circuit (20, 26) for validation of 
the user entitlements to the service supplied by the 
provider, the said circuit (20, 26) for validation of the 
user entitlements containing a control key (KC) 
making it possible to control the validation of the us- 
er entitlements and in that the control key (KC) mak- 
ing it possible to control the validation of the user 
entitlements is different from the control key (Q) of 
the validation of the conditions of access. 

22. Smart card according to Claim 20 or 21, characterized
in that the circuit (29) making it possible to validate
the conditions of access to the service comprises
means making it possible to recognize the
control key for validation of the access conditions.

23. Smart card according to Claim 22, characterized in
that the said means consist of a control key index
I(Qk).

24. Conditional access system making it possible for a
service provider to supply his services only to users
having acquired entitlements to these services, the
said services consisting of an item scrambled by
control words, the said system comprising, for each
user, at least one decoder and at least one user
card, the said card containing, on the one hand,
circuits making it possible to validate and record the
user entitlements, the said entitlements being conveyed
to the user card by a first message (MD) and,
on the other hand, circuits making it possible to
retrieve the control words from the control words
encrypted by an algorithm with key K, the said encrypted
control words being conveyed to the user card
by a second message (MEC), characterized in that
the user card is a card according to either of Claims
20 or 21 and in that the second message (MEC) is
a message according to any one of Claims 1 to 4.

25. Conditional access system making it possible for a
service provider to supply his services only to users
having acquired entitlements to these services, the
said services consisting of an item scrambled by
control words, the said system comprising, for each
user, at least one decoder and at least one user
card, the said card containing, on the one hand,
circuits making it possible to validate and record the
user entitlements, the said entitlements being conveyed
to the user card by a first message (MD) and,
on the other hand, circuits making it possible to
retrieve the control words from the control words
encrypted by an algorithm with key K, the said encrypted
control words being conveyed to the user card
by a second message (MEC), characterized in that
the user card is a card according to either of Claims
22 or 23 and in that the second message (MEC) is
a message according to any one of Claims 5 to 11.

26. Conditional access system according to Claim 24
or 25, characterized in that it is of the "on-line" type.

27. Conditional access system according to Claim 24
or 25, characterized in that it is of the "off-line" type.